Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Google Software Hardware

Google Developers Create API For Direct USB Access Via Web Pages (softpedia.com) 131

An anonymous reader writes: Two Google developers have uploaded an unofficial (for now) draft to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG) that describes a method of interconnecting USB-capable devices to Web pages. The API, called WebUSB, allows device manufacturers to provide special "registry and landing pages" where they can host JavaScript SDKs for their USB-capable devices. Site owners can load these SDKs as iframes inside their websites, and allow a site to access and relay commands (via the iframe to the browser's WebUSB API) to the actual device. To protect privacy and security, the WebUSB API also comes with a CORS-like system that prompts users for access to their devices to avoid abuse and Web-based fingerprinting. The system is also backward compatible with devices created before the standard's approval (if it gets approved).
This discussion has been archived. No new comments can be posted.

Google Developers Create API For Direct USB Access Via Web Pages

Comments Filter:
  • by Anonymous Coward on Monday April 11, 2016 @01:34PM (#51886161)

    That doesn't sound like it could ever be abused...

    • by Ukab the Great ( 87152 ) on Monday April 11, 2016 @01:36PM (#51886177)

      It's just JavaScript. What could go wrong?

      • Indeed. But what other technology would be good for something server side to interact with something on the user's local machine via web browser?

        Assuming the security bugaboos can be worked out, I can see this being good for things like authentication

        • by DarkOx ( 621550 ) on Monday April 11, 2016 @01:46PM (#51886271) Journal

          Yes, give remote code the ability to talk directly to a DMA capable device. No problems there. This and webGL could literal be a disaster if someone slips up.

          • by mlts ( 1038732 ) on Monday April 11, 2016 @02:04PM (#51886417)

            Not if; when. I can see this code being used as a vector to flash rogue firmware to devices. DMA access? We already have a problem with hardware slurping keys out of RAM with DMA... now imagine websites that can get this ability. I can see ransomware using this ability to bypass many different things to ensure a computer is unusable, perhaps even firmware flashes so the computer's BIOS runs the ransomware on that level.

        • Assuming the security bugaboos can be worked out,

          Okay, I admit- that made me laugh. I mean, how hard could it be to work out all the security bugaboos? I see no problem with this plan, none whatsoever, especially based on the phenomenally secure state of the interweb right now. Why, I can hardly wait to plug some of these goodies into my PC to see what happens!

        • by raymorris ( 2726007 ) on Monday April 11, 2016 @04:24PM (#51887351) Journal

          I just read the spec. It might be more accurate to say this API allows USB devices to offer data of their choosing to whitelisted web scripts. The USB device decides what data it gives to whom; web sites can't do anything with random USB devices that don't explicitly offer web endpoints. At the end of the day, it actually doesn't effect security in a fundamental way at all - USB devices can ALREADY send arbitrary data to web pages, just in an ad-hoc way rather than a well-defined , standardized way.

          In a way, it's a lot like first- party cookies , with the data on the usb device rather than on the hard drive.

          The USB device defines:
          https://login.ebay.com/ [ebay.com] may ask me for "username".

          No other web site can get anything from the USB device, and the whitelisted URL can only request the specified data item.

          Security considerations are of course important. At the same time, JavaScript can ALREADY read your most important USB devices - it can see your keyboard presses and mouse movements. If a USB device wants to send data to a web page, it can already declare itself to be a keyboard and start sending keypresses. (Credit card readers have done exactly this for decades, pretending to be keyboards .) This API defines a standardized way for the USB device to send data in a more secure way than by pretending to be a keyboard.

          Yes, one should consider security. With this, primary the security of the USB device- it's one other way for a malicious USB device to do bad things. But USB devices can ALREADY pretend to be a keyboard, use a hotkey sequence to fire up cmd.exe, and run any commands they want. Malicious USB devices are really bad with or without this new API, so the API doesn't increase risk by much.

          • by Anonymous Coward

            JavaScript can't be used to implement a logger... unless you give it access to USB. If this "protocol" is really the way you describe it, then it have absolutely nothing to do with USB. If it's actually allowing JavaScript to access the USB protocol, then it will be a horrible nightmare.

            Nothing to see here. Yet.

            • > JavaScript can't be used to implement a logger.

              It can already log anything to a remote server via:
              XMLHttpRequest.send(logmsg)

              It can already store logs locally:
              Document.Cookie('logline1', logmsg);

              Now, if and only if a USB device offers to store the log, JavaScript can provide for storage there.

          • The security risk of this spec needs to be weighed against benefit. From your description, the benefit seems lower than I first assumed (my mind jumped to websites being able to access USB devices directly). The security concerns might be mitigated, but the benefit is also. Looks like a wash to me, but I may lack imagination...
            • The proposed benefit is cross-platform drivers. Given a USB device that isn't one of the device types with generic drivers built into the OS, a JavaScript driver could be provided that will run on any OS - Windows, Linux, Mac, FreeBSD, Android - anything with a web browser.

              Consider as an example a USB-connected sensor board or relay board . The USB device declares that it will accept input only locally stored JavaScript, from file:// URLs. The software can then be an html file with an html GUI and JavaScr

          • It does seem as if the intended usage of this protocol is to bring back dongles: want to use the website? You need a "key" to plug in to your USB port. Hooking up a dongled speaker will grant you access to exclusive content, and so on. It seems the proposed protocol intends to make this easier than it now is, getting rid of the workarounds you mentioned.

            In a way, it is a return to physical security, locking the key into hardware. But it also runs counter to what Apple and Google are also pushing for, namely

          • by Tom ( 822 )

            it actually doesn't effect security in a fundamental way at all

            Famous last words.

            This API defines a standardized way for the USB device to send data in a more secure way than by pretending to be a keyboard.

            Pretending to be a keyboard has the advantage of having a very small exposed section. Most importantly, the part that interacts with the browser has gone through the whole OS stack and it is highly unlikely that the browser can do anything with it that is outside the "receive a key code" area.

        • Assuming the security bugaboos can be worked out

          You can "work out the security bugaboos" by not allowing fscking remote access to your USB devices (this has to be one of the most braindamaged ideas since ActiveX). This means removing WebUSB, which is a bit of a catch-22.

      • Re: (Score:3, Funny)

        by Anonymous Coward

        Indeed. Now you can plug in a USB drive you found in the parking lot and infect the entire web with Cryptolocker.

        This could be the most productive thing to happen to humanity since evolving the ability to make tools.

      • by JustAnotherOldGuy ( 4145623 ) on Monday April 11, 2016 @02:42PM (#51886693) Journal

        It's just JavaScript. What could go wrong?

        Nothing. Nothing could possibly go wrong with this idea.

        As we've seen, the Internet Of Random Things has had a unblemished, stellar record of security and privacy practices. This is because the developers and manufacturers that make Random Things Connected To The Internet are experienced, careful, and spare no expense when it comes to securing these wonderful, life-enhancing gadgets. Your privacy and safety are their first concerns.

    • by lgw ( 121541 ) on Monday April 11, 2016 @01:46PM (#51886265) Journal

      That doesn't sound like it could ever be abused...

      There have been some eye-opening kernel exploits found using the USB bus, but if that's limited to direct physical access it sound less scary. With this change? Eesh.

      This is like a remote control for a chainsaw: it sounds handy, but you know it will end in tears.

    • That doesn't sound like it could ever be abused...

      I'll install it right before I fire myself out a cannon without any safety equipment.

      My goodness, this is hilariously awful as a use case concept.

      If I trust software enough to let it talk to USB, I want to also trust that it is under its own control. Here, even if you thought you could trust it before, it can be changed server-side without notification, so you wouldn't be able to continue trusting it while using it. You wouldn't need to get infected with a virus or malware to lose control of your USB device

      • That doesn't sound like it could ever be abused...

        I'll install it right before I fire myself out a cannon without any safety equipment.

        A USB connected cannon?

        • by slew ( 2918 )

          That doesn't sound like it could ever be abused...

          I'll install it right before I fire myself out a cannon without any safety equipment.

          A USB connected cannon?

          On the internet, just ask and you shall receive [amazon.com]...

    • Comment removed based on user account deletion
    • Yes it could be abused. However Google tried to put in safeguards in their specs that is a bit more useful then Microsoft did with activeX which is still the bane of Internet security.
      However the web is no longer a content delivery engine but a cross system application platform. Sure you may not like it, but it turned out it be that.
      But as an application platform it will need to grow and change with the times. If not then you will get less planned out 3rd party crap again on your browser like ActiveX, Java

  • by Anonymous Coward on Monday April 11, 2016 @01:35PM (#51886163)

    Remember when Pale Moon devs wrote:

    This is sort of an open letter to the community, because we're facing some difficult times in the medium-to-long future with the way the web is developing away from actual standards, and "standards" being currently mostly dictated by the same people who run the biggest browsers (Google, Microsoft) and web services (Google again, media sites, Facebook) -- including the W3C being heavily influenced and/or strong-armed into accepting standards that rather describe the way "the big three" are behaving than what is logical or should actually be part of clear, separated domains for different technologies involved in creating the Web.

    This API is for ChromeOS 100%

  • by Anonymous Coward

    How long until the "security" is bypassed and websites can arbitrarily access any and all USB devices on the system?

  • by Anonymous Coward

    You might as well make a Web API that silently installs a kernel driver at this point.

    • by Anonymous Coward

      If it's a sandboxed kernel that doesn't sound so bad except for the silent part.

      Web APIs are the future. I only do GPU coding in WebGL because it is the most cross-platform, and I only bother writing applications in Javascript for the same reason.

  • Keep your dirty JavaScript off my USB devices.
    • Say you have been given a particular USB device as a gift, but the program to make the USB device work is available only for Windows, and your computer runs GNU/LInux. Would you prefer to buy and install a copy of Windows or refuse the gift?

      Or if you happen to be a Windows user, I will reword:
      Say you have been given a particular USB device as a gift, but the program to make the USB device work is available only for OS X, and your computer runs Windows. Would you prefer to buy a Mac or refuse the gift?

      Or are

      • by Junta ( 36770 ) on Monday April 11, 2016 @02:16PM (#51886503)

        I'd rather not bind USB devices to only work under a web browser.

        It's the job of the OS to manage the hardware. To codify a bypass to let a particular application do whatever it wants seems unreasonable.

        Note for USB devices, this is relatively more rare, as the USB forum codifies standards so that different vendors of common devices all look the same. A usb mass storage device has the same abstraction regardless of underlying technology. A usb network device is implementing one of a handful of network protocols (there have been some revisions on that setup). A usb camera looks the same regardless of vendor.

        So if you have some wacky precious snowflake of a device that is so cutting edge that no driver model has been established for it, this lets a hypothetical web app skip a few months of hand wringing waiting for a standard. In exchange for this modest benefit, you are discouraging pursuit of standards, empowering javascript to do more insidious things, and discouraging device support for non-browser access (there are more applications on a system than a web browser, and encouraging device vendors to target the browser *instead* of the OS driver model is just nasty).

      • Compared to giving open-ended access to USB bus to the browser? Yes, I would rather use a VM.
      • 99% of USB devices work with completely generic drivers. The whole "I need a vendor-specific driver for a device that uses completely standard protocols" is mostly a Windows-only thing. Plus there's USB passthrough for virtualization anyway, so worst case you can jus fire up a Windows VM.
        • 99% of USB devices work with completely generic drivers.

          True only because keyboards, mice, and flash drives are produced in mass quantities. I was referring to more specialized devices that do not "use[] completely standard protocols", such as printers, webcams, and fitness trackers.

          Plus there's USB passthrough for virtualization anyway, so worst case you can jus fire up a Windows VM.

          Virtualizing Windows requires purchasing and installing a genuine copy of sufficiently recent Windows for a given machine.

          In addition, running a second OS alongside your primary one also requires purchasing data transfer allowance from your Internet service provider to keep that OS u

    • Take your stinking javascript off my USB devices, you damned dirty Google! - George Taylor

    • I don't care if it is javascript or some other language, the problem is the part where it runs in a web browser, which is capable (designed primarily for, even) loading code provided by the server.

      People talk about using it for authentication, but that can already be done with existing authentication protocols. Sure, it needs a client-side helper app, but places that are too strict to have the auth helper are going to be disabling any USB ports if this is going to be enabled in the browser; and maybe preemp

  • by Imazalil ( 553163 ) on Monday April 11, 2016 @01:44PM (#51886253)

    Did all the Active X developers end up at Google?

    • by Anonymous Coward
      Yeah, after spending 5 years in a nut house.
    • The key difference is that ActiveX controls ran as native code with full permissions to everything in your user profile, while these web APIs run as managed code with finer-grained permissions. How common are JavaScript sandbox escapes lately?

      • by Junta ( 36770 )

        But how much do you put within reach of the sandbox? Given the open ended nature of the beast, what are the hopes that a browser can competently present a user with a specific enough warning about what's about to happen to allow them to make an informed decision?

      • by Dwedit ( 232252 )

        Well-known use-after-free bugs in webkit hacked the 3DS and PS4.

        • But there's a big difference between video game consoles and PCs in this respect. The owner of a PC is more likely to allow these defects to be automatically patched as they are discovered and fixed because the user has a legitimate way to install homemade software. On a console, on the other hand, the user is more likely to leave them unpatched because they are the only way that a user can run homemade (that is, unapproved) software.

  • Just wait for the ad's to abuse this or even some DMCA bs.

    No you can't run our app in a VM as that VM let's you bypass our usb dongle

  • by Anonymous Coward

    If this is widely supported, vendors will use it to build configuration GUIs for their USB devices.

    No internet connection? Device doesn't work.

    Vendor's website down? Device doesn't work.

    Vendor out of business? Device doesn't work.

    Vendor sold to EvilCorp? Pay $10/mo for a support contract to EvilCorp so your device that worked fine for years will continue to work.

    • I don't see how this is any different than driver packages today. If you have no internet or the company goes out of business then you can't download the drivers. If you have drivers on a CD then they still work. The configuration webpage/app that uses these JavaScript APIs on that CD will still work too.

      • The point the GP is trying to make is that this opens the door to vendors requiring an active internet connection to their servers just to be able to configure (or possibly even just use) your widget. If anything happens to that company, you could lose meaningful use of said widget.

        We already have stuff like this. Look at the Logitech Harmony Remote. You have to connect to their online service to be able to configure your remote. If their service ever died, you lose the ability to configure your remote.

  • Chrome could talk to HID devices for a while. That is how Fido USB keys worked.
    I hate Javascript....

  • Skeptical... (Score:4, Interesting)

    by Junta ( 36770 ) on Monday April 11, 2016 @01:56PM (#51886349)

    It seems the goal is to empower developers to skip the pesky wait for actually standardizing around 'novel' device types by giving the browser pretty open ended access to USB devices...

    As a rule, I do not believe OSes themselves allow open ended access to any device by an unprivileged user process (e.g. a browser process), USB or otherwise. So it would seem the OS model for hardware would be in the way. Incidentally, this problem should be taken as a huge red flag as why this may be an ill-conceived idea.

    I would worry that should this strategy be encouraged, we would see devices that *only* are usable within a web browser. This is the first time I can recall any managed runtime environment trying to implement an independent driver model of the underlying OS. This strikes me as particularly bad form.

    In general, Javascript can't even access arbitrary files owned by the user. This is a good thing. This is flying pretty firmly in the face of Javascript in browser being a domain specific language that has *some* security by virtue of explicitly not being allowed to do everything to a system.

    • by dgatwood ( 11270 )

      As a rule, I do not believe OSes themselves allow open ended access to any device by an unprivileged user process (e.g. a browser process), USB or otherwise. So it would seem the OS model for hardware would be in the way. Incidentally, this problem should be taken as a huge red flag as why this may be an ill-conceived idea.

      Actually, allowing unprivileged code to control most USB devices has actually been the norm for the better part of two decades. For example, OS X requires code to be privileged if it wan

  • My first thought was that they were basically doing libusb bindings for JavaScript (and then exposing those bindings within a web browser).

    But, no, those bindings already existed: https://github.com/schakko/nod... [github.com]

    I must be missing something. I'll go dig for technical details to try and figure out what.

    • Bindings for nodejs doesn't mean those bindings are in the browser.

      I am not sure what the purpose of binding libusb if you can run your own code on the computer. Just run native code.

  • Seems like the major virtualization vendors (VMware, Citrix, Microsoft) should have been all over this already with their end-user computing portfolios.
  • The design of USB was for connecting trusted peripherals semi-permanently to a machine. In that capacity, it works really well. The original design did not account for attaching things that don't trust each other. Whether it's a USB stick you pick up off the street and connect to your machine or one of those "USB charging" plugs in the airport, it's not a situation for which USB was envisioned which means we're going to be seeing security holes in this area for years even as the devices and OSes get bett
    • by amorsen ( 7485 )

      On the upside, traditional USB is so simple that it can be made reasonably secure, if anyone cares to do so. Devices can't really initiate anything, they can just wait for the host computer to get around to listening to them or assert a flag that they need servicing, hoping that the host computer cares. It is also slow enough that you can play microkernel and sandbox the USB device drivers, preventing them from messing up too badly. Once that is done, you "just" have to audit your USB host controller driver

  • How about going the whole hog and proving web API for PCI bus, interrupt handling and DMA? Think about it - drivers written in glorious JavaScript! It will be great.
  • Wait. What?!? This is for real?
    Shit!
  • Sounds Interesting - like being able to have a USB appliance without the need of running an OS on it; piggyback on the standards compliant Host OS which would have a browser for accessing and controlling the appliance.
  • Is this something new? I've plugged things in using USB, and got software updates from webpages before.
  • I see that literally no one read the spec (yes, I realize this is Slashdot). To the creator's credit, they have thought about security from the point of malicious Javascript accessing USB. They spec makes that highly unlikely as the USB device has complete control over who can talk to it. The problem is that as far as I can tell, they have given a malicious USB device yet another way to talk to a command-and-control server and get code execution (albeit in a sandboxed browser, using Javascript). Of cou
  • WebSystemd, you know its coming !!!!
  • by Anonymous Coward

    How the bloody hell did these two morons (this idea really confirms this) get a job as Google developers? There is no such thing as perfect software. It is virtually guaranteed this will be exploited. This "idea" is why JavaScript isn't supposed to have access to anything outside the browser. And the internet is so much safer now then when JavaScript was developed. And also it isn't like i-frames haven't been abused in the past. Yep, perfectly safe.

  • This enables you to write a till or cash register screen and get it to talk to an attached ESC/POS receipt printer and cash drawer and chip and pin terminal and have that run in a browser process with no locally installed proxy process to get access to it. It isn't for your mouse and webcam.

  • A fairly trivial cgi can already do this with the user-space USB API.
  • by Tom ( 822 )

    "What could possibly go wrong?" was rarely written in such big and bright letters.

    You're already (IMHO) grossly negligent if your browser doesn't run in a sandbox. But sure, give it USB access. That's only where your keyboard and mouse are also connected. And maybe your external harddrive. The one with the backups.

    And for what? Solution looking for a problem?

No spitting on the Bus! Thank you, The Mgt.

Working...